No two organizations are the same. Each has unique objectives, challenges and opportunities and thus needs solutions that fit it exactly. Where most organizations are the same, however, is in their desire to focus the right level of effort in the right area at the right time – to ensure that expending limited resources brings the most benefits. If an organization wants to ”laser focus” on the most optimal solution it needs to understand what the threats are that are challenging its survival, what the organization’s capabilities are and where they want to be. By following the carpenter’s adage of “measure twice, cut once,” you can ensure a more efficient, cost-effective approach to business continuity. This article explains how a focused approach – beginning with a risk assessment and including taking a programmatic look at the solution – can help you develop or refine your business continuity strategy.
Too often, organizations try to go “end of job” when attempting to address their business continuity needs with detrimental results. In other words, they literally dive right into solution development and implementation without first evaluating their existing situation and understanding what their true strengths and weaknesses are, where they want to be, and what it takes to stay there. This approach can prove to be problematic because energy, time and money can be spent focusing on solutions that don’t necessarily address the problems being faced and that may not achieve the desired state. In fact, the subsequent strategies often lack objective insight, may be short-sighted in scope, and can be difficult to sustain. You should approach business continuity programmatically beginning with thorough risk assessments, a solid understanding of the impacts of a business interruption, and a detailed strategy that addresses not just how you will prepare for and respond to an incident, but also how you will maintain the edge on your capabilities over time.
Understand Your Risks and Impacts
To get started, you should have a solid understanding of the threats that can impact your most critical assets, whether those are people, business processes, or technology systems and data. An assessment of current risk controls and the impacts of a threat materializing can identify strengths and weaknesses, and highlight where stronger controls are needed. Impacts can identify assets requiring stronger controls due to their criticality to the organization, and enable priorities to be set for how those assets are protected – and if impacted, recovered. The balance between threats, impacts and risk controls, coupled with your organization’s “risk appetite,” helps to identify what threats are most critical to address due to vulnerabilities, business concerns, and opportunities that are presented. This allows the organization to focus on those areas by developing or enhancing risk controls that can include preventive or reactive measures, and span everything from personnel planning through to physical security, supplier relationships, business process resiliency measures, and technology resiliency and recovery capabilities. This first measure helps you to focus your organizations efforts and ensures the solution you target fits the problem you’re trying to resolve.
Do you have an enterprise wide view of the natural, intentional and accidental threats to your business environment, including your people, facilities, suppliers, partners, supply chain and technology systems / data? Do you know what threats carry the greatest likelihood to impact critical assets due to weaknesses in controls? Do you know the business criticality of your organization’s processes and time-criticality of the things those processes are dependent on, such as other processes, people, partners, systems and data that they depend on? Have you taken an inventory of business processes and supporting technologies in order to establish critical relationships and interdependencies?
Align Strategies With
Risks and Business Criticality
An effective business continuity program addresses measures focused on mitigating the most likely threats to your assets of greatest criticality. The measures put in place are built around detailed preventive and reactive strategies that are the key to ensuring an effective organizational resiliency and survivability solution.
The strategies should bring all of your capabilities to bear in order to address an incident – people, processes, partners, and technologies – and should span your enterprise business environment. Protecting one asset, in a linked value chain, protects none of them effectively. Strategies that only address technologies or facilities concerns may be too narrowly-focused and not sufficient to ensure the longevity of your organization in cases where there are regional issues or a loss of facilities that house business operations. Solutions that do not leverage the business’ resiliency (and people, partners, and processes that may be in place) are missing opportunities to accelerate recovery, enhance resiliency, or reduce solution costs. And capabilities that do not take into account the need for technology recovery in most cases limit themselves to short term scenarios, since it is rare to find a critical business process without technology systems and data dependency.
Finally, a strategy that doesn’t focus on people – on the awareness, communications, and training needed to develop the level of organizational readiness necessary – is a strategy that is not only incomplete but also missing leveraging one of the organization’s best assets. This second measurement ensures alignment of threats and solutions and makes sure you are considering and measuring all dimensions of your solution.
- Do your strategies align to those threats that have the greatest likelihood of impacting your organization? A solution that focuses on bringing in a mobile data center, when the chief threat is an ice-storm, doesn’t take into account the full scope of the threat to people, transportation, power, and fuel accessibility.
- Are your strategies comprehensive and do they take advantage of all of your capabilities? Do they leverage your manual processing capabilities? Leverage geographic diversity? Take advantage of partners and suppliers? Build on existing technology capabilities? Do they ensure the focus is on all of you assets (people, processes, and technologies/data) and not just one to the detriment of other?
Build Solutions That Will Last
Once a strategy is settled on and the solution is implemented – are you finished? The truth is you’ve only just begun. A solution’s effectiveness often peaks some time after the initial implementation due to validation exercises driving process and technology improvements that make the solution not just feasible but also consistently reliable and easily enacted. The first step after implementation then is to drive to that peak of effectiveness. This starts by ensuring that your solutions include not just the implementation effort and costs but also the long term need to continually validate the solution and drive improvements in your capabilities. Once the targeted peak is reached then the situation you will often find is that the height reached was really only the first in a series of plateaus of capability and the next level is one step up.
The need to continually improve your skills and capabilities thus never diminishes. This becomes an even greater ongoing challenge due to the ever present undertow that threatens to drag your capabilities down from their level of peak effectiveness. Technology, business and personnel changes and overall “organizational fatigue,” all can subtly undercut the gains made and leave your program a shell of what it was targeted to be – and your risks only slightly better mitigated after all of your efforts. So your strategies need to also focus on sustainability of your solution from a people, process, and technology perspective, and most importantly, from an organizational perspective. Developing the cultural commitment; ensuring there is ongoing training, awareness and communications; maintaining the sense of urgency and continually challenging the organization to get better are as important to your solution as the data protection and systems recovery strategies you develop. So when you “cut” the solution don’t forget about the long term components that need to be addressed since “measuring” and addressing those needs is critical to the long term viability and value of your capabilities.
Before implementing a business continuity solution, you need to develop a solid foundation of understanding as to what your critical risks are, what the impacts of a business disruption are, and how time-critical it is to recover business operations and the underlying people, processes and technologies. Strategies must be developed that align with these risks and priorities, take into account your enterprise, and leverage the full arsenal you can bring to bear: people, process, and technologies, as well as partners and suppliers. And the solutions implemented need to focus not only on the first 20 percent of the work – the implementation – but also the 80 percent of the effort required in honing the skills and capabilities and sustaining a viable solution that continues to deliver the value tomorrow that it was implemented to provide today.
It will never be simple or easy to ensure uninterrupted access to your mission-critical data and systems. However, with a structured approach you can efficiently get to an effective solution. Invest the time and effort in upfront analysis and strategizing, and you will develop an optimal strategy and program that meets your business continuity requirements—during day-to-day operations, planned interruptions or unplanned events. “Measuring twice and cutting once” is the best protection to ensure that a focused, effective and sustainable program is implemented that will bring long term value to the organization.
Your Next Steps
Approach your BC Program as a long term commitment by setting long term objectives and keeping the broad scope of the program in mind throughout all phases of development. Begin with a risk assessment that focuses your organization’s efforts. Follow through by developing strategies that align to those threats and that leverage every asset at your disposal. Finally, focus on your long term commitment to bringing the solution to its peak of effectiveness and keeping it there. By following these steps, and keeping the adage about “measuring twice and cutting once,” you can implement a more effective solution without wasting previous resources, either on the implementation or long term.
Bill Hughes is responsible for overseeing the product development, assessment and evolution of consulting services for SunGard’s Business Continuity/Disaster Recovery Center of Excellence. Throughout his career at SunGard, Hughes has been a key contributor and advisor on a number of strategic engagements, change agent for delivery and deliverable evolution and is involved in the development of strategic capabilities and services. Previously, Hughes served as the regional director of consulting services for SunGard in the Midwest. With more than 23 years of IT engineering and operations, program and project management and business continuity and disaster recovery experience, Hughes’ background provides a strong foundation of expertise with best practices for business and information availability and information technology services. Hughes holds a bachelor’s degree in applied physics from McMaster University in Ontario, Canada and is a member of the Project Management Institute and Association of Contingency Planners.